CN1264322C - Method for preventing un-authorised access to network - Google Patents


Info

Publication number
CN1264322C
Authority
CN
China
Prior art keywords
access
network
mark
record
licencing key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 00814120
Other languages
Chinese (zh)
Other versions
CN1378737A (en)
Inventor
A·德梅尔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Solutions and Networks GmbH and Co KG
Original Assignee
Siemens AG

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M3/00 Automatic or semi-automatic exchanges
    • H04M3/38 Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections
    • H04M3/382 Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections using authorisation codes or passwords

Abstract

The invention enables automatic prevention of access to a network connection for a service or a network requiring an access authorization code when a non-valid authorization code is determined after several demands on the service or network have been made, thereby facilitating recognition of an un-authorized access attempt.

Description

Method for preventing un-authorised access to a network
If access to a network (for example a communication network, a computer network, etc.) is restricted to a group of authorized users by means of an authorization code, unauthorized persons must be prevented from finding a valid authorization code by trying possible codes.
If the authorization code also serves to identify the user, or no identification takes place at all, i.e. there is no separate user identification number, then a block imposed because wrong authorization codes were entered repeatedly cannot be stored in an existing user record. Likewise, the number of failed attempts cannot be stored in a counter.
The situation described above arises, for example, when a customer of a communication network operator, e.g. by means of a "roaming service", selects his operator from any telephone interface, uses his private profile, and can have the charges settled through his user account. In this case the user is identified by his authorization code. If an unauthorized person finds an authorization code, he can use the operator's services at the expense of the holder of that authorization code.
Another conceivable case of abuse is, for example, dialling into a computer system via a modem.
Some mechanisms currently in use are described below.
a) Access attempts made with an invalid authorization code are stored in a log file. When analysing these files, the operator can recognise illegal access attempts, i.e. the trying-out of codes. However, neither the trying of a large number of authorization codes nor the abuse of a code found in this way can be prevented.
b) The "single digit difference" (SDD) method recognises the repeated entry of invalid codes that differ from one another by only one digit. If a specific number of such codes is found to occur within a specific period, an alarm is sent to the operator console. Although the operator learns of the attempt earlier than with the method above, the other disadvantages remain. In addition, the mechanism can be circumvented if codes are tried in random order.
c) As soon as an invalid authorization code is recognised, the call is connected to an operator. Although this method offers a very high level of security, it entails personnel costs, and the station must be staffed 24 hours a day.
The object of the invention is to overcome the disadvantages described above.
This object is achieved by the method according to claim 1 and by the serving network node according to claim 5 or 6.
The invention is explained in more detail below with reference to the drawing, which comprises two figures.
The invention makes it possible to block automatically a (network) access that attempts to reach a service or network whose use requires an authorization code, once it has been established over several requests to the service or network that invalid authorization codes were used, so that the behaviour is recognised as abuse. The method makes use of a feature or mark of the calling party's access that is notified to the serving network node or access network node (for example the calling number of the accessing party transmitted with each call), by which the same access can be recognised.
A malicious user therefore cannot test a large number of codes in order to find a valid authorization code. Compared with methods a) and b) above, the solution of the invention provides effective protection, and it does so regardless of whether operating personnel are present.
The invention departs from the usual protection of an object (for example a user identification number), in which the object is blocked to prevent further access attempts. The invention solves the problem that arises when no such object exists. The mechanism of the invention acts at the "other end", i.e. on the access itself. The principle is effective whenever no user identification information (for example a user identification number or smart card) is explicitly stored in the serving network node, but the place from which the authorization code is transmitted can be determined from an unambiguous feature that cannot be tampered with.
The procedure of the invention is described in detail below with reference to Fig. 1 and Fig. 2, taking as an example a request to a service of a communication network, viewed from that network. The network node responsible for providing the service is referred to below as the serving network node; it is independent of the exchange to which the user requesting the service is connected. The user may, for example, belong to the network of another operator.
A user requesting the service first reaches a network node that manages the interface the user uses for requests to the communication network. This network node is referred to below as the access network node (or, in the case of an access server of a communication network or computer network, as the access exchange).
The switching (relay) equipment of the access network node forwards the request to the serving network node. The serving network node (more precisely, its switching equipment) then requests the authorization code via the user's access network node. The requested authorization code is transmitted to the serving network node via the access network node. During this communication between the access network node and the serving network node, a mark of the accessing party, for example the calling number, is also transmitted to the serving network node. The calling number can be transmitted, for example, together with the service request, together with the authorization code, or separately.
The switching equipment of the serving network node then first checks whether a block exists for the calling number transmitted as the mark. If a block exists, the service request is cancelled (the call is released). If no block exists, the validity of the transmitted authorization code is checked by means of a service access facility of the switching equipment.
If the switching equipment identifies an invalid authorization code, it notifies the anti-fraud part (referred to below as the FP process) and ends the service request. The FP process runs as a separate process, independent of the switching equipment, so it places no burden on the latter's dynamic behaviour.
The FP process maintains a table (the FP table, see Fig. 2) in which a record is written for each invalid authorization code. The record contains the invalid authorization code, the calling number of the accessing party (A number), the date, the time and the called number. The table is then searched for records with the same A number. If such records are found, the way in which they have repeatedly occurred (for example their pattern over time) is analysed to decide whether the A number should be blocked so that it cannot make further connection attempts to the operator concerned. A simple way of analysing the records over time is to count the records that fall within a given time range. If the number of records reaches or exceeds a given threshold, the A number is blocked and its further connection attempts to the service or to the network of the operator concerned are refused.
The block is implemented by an entry in the block list (see Fig. 1 or Fig. 2), in which the switching equipment looks up the A number for every connection attempt. If the A number is found in the block list, the connection attempt is refused. The block list is organized as a (digit) tree, which keeps the lookup efficient. When a block has been set, the operator is notified and can cancel the block by command. The block list is semi-permanent, so blocks that have been set are not affected by any recovery measures in the network node.
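The FP table, the count-within-a-time-range analysis and the digit-tree block list described above can be sketched as follows. This is an added example, not code from the patent; the class and function names, the threshold of 3, the 600-second window and the sample numbers and codes are assumptions.

```python
"""Added illustration of the FP table and block list; names and values are assumptions."""
from dataclasses import dataclass

@dataclass
class FPRecord:        # one row of the FP table
    code: str          # the invalid authorization code
    a_number: str      # calling number of the accessing party (A number)
    ts: float          # date and time, here as seconds
    called: str        # called number

class BlockList:
    """Block list organised as a digit tree keyed on the A number."""
    def __init__(self):
        self.root = {}

    def _walk(self, number, create=False):
        node = self.root
        for digit in number:
            node = node.setdefault(digit, {}) if create else node.get(digit)
            if node is None:
                return None
        return node

    def block(self, number):
        self._walk(number, create=True)["blocked"] = True

    def unblock(self, number):                 # operator command
        node = self._walk(number)
        if node is not None:
            node.pop("blocked", None)

    def is_blocked(self, number):
        node = self._walk(number)
        return bool(node and node.get("blocked"))

class ServingNode:
    def __init__(self, valid_codes, threshold=3, window=600.0):
        self.valid_codes = set(valid_codes)
        self.threshold, self.window = threshold, window
        self.fp_table = []
        self.blocks = BlockList()

    def handle(self, a_number, code, called, now):
        if not a_number:                       # no access mark was transmitted:
            return "rejected"                  # reject, one option of claims 3 and 9
        if self.blocks.is_blocked(a_number):   # checked before the code is examined
            return "blocked"
        if code in self.valid_codes:
            return "accepted"                  # earlier FP records are kept (claim 4)
        self._fp_process(FPRecord(code, a_number, now, called))
        return "rejected"

    def _fp_process(self, rec):
        # Write the record, then count records with the same A number in the window.
        self.fp_table.append(rec)
        recent = [r for r in self.fp_table
                  if r.a_number == rec.a_number and rec.ts - r.ts < self.window]
        if len(recent) >= self.threshold:
            self.blocks.block(rec.a_number)

def demo():
    # Constructed sample: guesses in random order with one valid code in between.
    node = ServingNode(valid_codes={"482913"})
    codes = ["000001", "731955", "482913", "120044", "482913"]
    return [node.handle("4989123456", c, "0800111", float(t))
            for t, c in enumerate(codes)]
```

In the constructed run the third invalid code triggers the block even though the guesses are unrelated and a valid code was presented in between, so the final attempt with the valid code is refused until an operator calls `unblock`.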

Claims (9)

1. A method for preventing un-authorised access to a network, in which
- a network node, on receiving a service request or network access request from any accessing party, requests an authorization code via the access network node that manages that party's network access,
- within the scope of the related communication between the network node and the access network node, an access mark of the network access making the request is also transmitted,
- if no block exists for the access mark, the network node checks the validity of the transmitted authorization code,
- if the check finds the authorization code to be invalid, the request is rejected and the access mark is stored in a storage device,
- the storage device is searched for existing records with the same access mark,
- if an assessment finds that the way such records have repeatedly occurred indicates illegal access attempts, further attempts by the access with that access mark to connect to the service or network are blocked.
2. The method as claimed in claim 1, characterised in that the way the records have occurred is checked by determining whether their number reaches or exceeds a given threshold within a given time interval.
3. The method as claimed in claim 1 or 2, characterised in that, if in the course of said communication the access network node does not transmit an access mark to the network node, then
- the request is rejected,
- or the call is connected to an operator,
- or the operator of the network node sets how such a request is handled.
4. The method as claimed in claim 1 or 2, characterised in that, once a valid authorization code is determined in connection with the same access mark, the records of invalid authorization codes are not removed from the storage device.
5. A network node which
- on receiving a service request or network access request from another network node, requests an authorization code from it,
- in the course of the communication with the other network node, receives an access mark from the latter,
- if no block exists for the access mark, checks the validity of the transmitted authorization code,
- if the check finds the authorization code to be invalid, rejects the request and stores the access mark in a storage device,
- searches the storage device for existing records with the same access mark,
- if an assessment finds that the way such records have repeatedly occurred indicates illegal access attempts, blocks further attempts by the access with that access mark to connect to the service or network.
6. A network node comprising
A) a switching part which
- on receiving a service request or network access request from another network node, requests an authorization code from it,
- in the course of the communication with the other network node, receives an access mark from the latter,
- if no block exists for the access mark, checks whether the transmitted authorization code is valid,
- if the check finds the authorization code to be invalid, or a block already exists, rejects the request,
B) an anti-fraud part which
- has a lower processing priority than the switching part,
- if the check finds the authorization code to be invalid, obtains from the switching part the access mark of the accessing party that sent the service request or network access request,
- stores the access mark obtained in a storage device,
- searches the storage device for existing records with the same access mark,
- if an assessment finds that the way such records have repeatedly occurred indicates illegal access attempts, blocks the access mark for further attempts to connect to the service or network.
7. The network node as claimed in claim 5 or 6, characterised in that the way the records have occurred is checked by determining whether their number reaches or exceeds a given threshold within a given time interval.
8. The network node as claimed in claim 5 or 6, characterised in that the block on the access mark is implemented by an entry in a block list, and the block list is organized as a tree.
9. The network node as claimed in claim 5 or 6, characterised in that, if in the course of said communication the access network node does not transmit an access mark to the network node, then
- the request is rejected,
- or the call is connected to an operator,
- or the operator of the network node sets how such a request is handled.
CN 00814120 1999-10-12 2000-10-12 Method for preventing un-authorised access to network Expired - Fee Related CN1264322C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP99119949 1999-10-12
EP99119949.8 1999-10-12

Publications (2)

Publication Number Publication Date
CN1378737A (en) 2002-11-06
CN1264322C (en) 2006-07-12

Family

ID=8239142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 00814120 Expired - Fee Related CN1264322C (en) 1999-10-12 2000-10-12 Method for preventing un-authorised access to network

Country Status (3)

Country Link
CN (1) CN1264322C (en)
DE (1) DE10083125D2 (en)
WO (1) WO2001028207A1 (en)

Also Published As

Publication number Publication date
DE10083125D2 (en) 2002-11-07
CN1378737A (en) 2002-11-06
WO2001028207A1 (en) 2001-04-19

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: NOKIA SIEMENS COMMUNICATION CO., LTD.

Free format text: FORMER OWNER: SIEMENS AG

Effective date: 20080509

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20080509

Address after: Munich, Federal Republic of Germany

Patentee after: Nokia Siemens Networks GmbH

Address before: Munich, Federal Republic of Germany

Patentee before: Siemens AG

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20060712

Termination date: 20091112